Meltdown and Spectre: Current Status 01/12/2018

By Robert Meyers and Sean Andrews

The vulnerabilities known as Meltdown and Spectre were publicly disclosed last week. They exploit speculative execution, a performance technique that mainstream processors have used since the mid-nineties: the CPU guesses which instructions will be needed next and runs them ahead of time, and the side effects of those guesses can be measured to leak data.

In most cases these vulnerabilities do not, on their own, let an external unauthorized party gain access to a system. They let code that is already running on a system (a browser script, a local process, a guest VM) read memory it is not authorized to read. That is the current state. We expect these vulnerabilities to be weaponized into malicious websites and malware, at which point they become significantly more dangerous: an attacker who gets code to run on a machine can use them to recover information held in memory, including passwords, session tokens and encryption keys. Note that these are information-disclosure flaws; they leak data rather than inject commands, so the practical attack chain is "get code running, then read secrets" rather than a remote takeover by themselves.

As your technology partner we are building a strategy to help defend our clients. Like every other provider, we are still mainly in the testing phase. We wanted to update you with our current findings.

Windows Workstations

Current machines see on average around six percent performance degradation from the Microsoft patches. However, there is a complication with anti-virus and anti-malware products that is still being worked on: incompatible products cause boot failures and crashes after the update. Patches deployed to AMD-based machines show similar boot problems. Because it is common to have more than one anti-virus or anti-malware product installed, Microsoft and the vendors are working on a solution. Additionally, Intel's new microcode update is causing random reboots and is simply not recommended for production. Please note that older systems will see a larger performance impact from the patching. Our current recommendation and practice is to test and monitor. These fixes cannot yet be deployed to widespread production without a predictable amount of instability and should be limited to administrative systems, on demand.

Mac Workstations

Currently only High Sierra is being updated by Apple. There are no reported errors from our testing or our partners' testing so far. We therefore agree with Apple's recommendation: upgrade any Macs to High Sierra, apply the 10.13.2 supplemental update, and patch. There is a performance impact, but in testing the update has appeared stable, with between 1% and 6% performance degradation.

Applications

We are waiting on updates from most software vendors. Chrome is expected to be updated on January 23 (as currently advised); in the meantime Google recommends enabling its Site Isolation feature, which mitigates part of Spectre by keeping each site's content in its own renderer process. IBM will start rolling out some fixes in February, although limited information has been released so far. Microsoft currently has a series of patches for Internet Explorer, Edge and SQL Server. Due to the instability being seen, our current strategy is to deploy these only to administrative systems.

Anti-Virus / Anti-Malware

We have confirmed that Webroot SecureAnywhere 9.0.18.xx, from one of our partners, is compatible with the Microsoft patches; however, it requires that a registry key be set before the patches are deployed. (Windows Update and WSUS withhold the January updates from any machine where this key is absent, because an incompatible anti-virus driver can make the patched system unbootable.) A version that sets and manages this registry key automatically is being developed, and we recommend waiting for it.

Microsoft's own products, Windows Defender Antivirus, System Center Endpoint Protection and Microsoft Security Essentials, are compatible with the January 2018 security updates and set the required registry key themselves.

There are versions of Avast, Avira, AVG, ESET, F-Secure, BitDefender, Kaspersky, Sophos, Malwarebytes and Symantec that declare compatibility and set the required registry key per Microsoft's guidelines. Please note that Microsoft has stated that future security updates will also require the registry key to be set, so this is not a one-time hurdle. As always, our recommendation is to keep systems under protection; however, version changes will need to be managed so that every installed product is at a compatible release before the key is set.
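The following PowerShell is an added example, not part of the original update or of any vendor's tooling. It audits the registry key the anti-virus section refers to and lists the anti-virus products registered with Windows, so an administrator can confirm every product is at a compatible version before setting the key. The key path and value name are the ones Microsoft documented in KB4072699 for the January 2018 updates; the page itself does not name them.

```powershell
# Added example (not from the original post). Audits, and optionally sets, the
# QualityCompat registry value that Windows Update / WSUS check before offering the
# January 2018 security updates. Key path and value name are from Microsoft KB4072699.
$QualityCompatKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
$QualityCompatName = 'cadca5fe-e7b2-4ac1-9f1c-84e5b3d6e27b'

function Test-QualityCompatKey {
    # Returns $true only when the value exists and is REG_DWORD 0, which is what Microsoft checks.
    if (-not (Test-Path $QualityCompatKey)) { return $false }
    $item = Get-ItemProperty -Path $QualityCompatKey -Name $QualityCompatName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ($item.$QualityCompatName -eq 0)
}

function Set-QualityCompatKey {
    # Only run this after confirming every installed AV/AM product is compatible.
    # Setting the key on a machine with an incompatible driver can leave it unbootable
    # after the next update, which is exactly the failure the key exists to prevent.
    if (-not (Test-Path $QualityCompatKey)) { New-Item -Path $QualityCompatKey -Force | Out-Null }
    New-ItemProperty -Path $QualityCompatKey -Name $QualityCompatName -PropertyType DWord -Value 0 -Force | Out-Null
}

function Get-RegisteredAntiVirus {
    # Products registered with Windows Security Center. This namespace exists on
    # client Windows only; on Windows Server the query returns nothing.
    Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object displayName, pathToSignedProductExe, productState
}

Write-Host "Registered anti-virus products:"
Get-RegisteredAntiVirus | Format-Table -AutoSize

if (Test-QualityCompatKey) {
    Write-Host "QualityCompat key present: the January 2018 updates will be offered to this machine."
} else {
    Write-Host "QualityCompat key missing: Windows Update / WSUS will withhold the January 2018 updates."
    Write-Host "Check each product above against its vendor's compatibility statement, then run Set-QualityCompatKey."
}
```

Run the script unmodified first; it only reads. Call Set-QualityCompatKey by hand once the vendor check is done, and expect the compatible products listed in this section to have already set the value themselves.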

Servers

Performance on servers can be critical, and the Microsoft and Linux patches released so far show very large performance degradation, often averaging 30% once patched. The impact is heaviest on workloads that make many system calls or do heavy disk and network I/O, because the kernel-side fix for Meltdown (isolating kernel page tables) adds cost to every transition into the kernel. A strategy for server protection is therefore being reviewed. Please note that as long as there is no browsing or general-purpose use on a server, there are fewer attack vectors, since exploitation requires attacker code to run on the machine. Patches are being refined and alternative strategies, including isolation, are being reviewed. We are working with partners and monitoring the industry recommendations.
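Because of the performance concern above, Windows Server installs the January 2018 update with the Meltdown and Spectre mitigations switched off by default, so the patch can be installed, the workload measured, and the mitigations enabled as a separate step. The PowerShell below is an added example, not from the original update or from Microsoft; the two registry values it reads and writes are the ones Microsoft's KB4072698 guidance documents for Windows Server, and the timing loop is a constructed stand-in for a real workload benchmark.

```powershell
# Added example (not from the original post). Reports and toggles the Windows Server
# mitigation switches documented in Microsoft KB4072698, and times a syscall-heavy loop
# so the cost of enabling them can be measured on the actual server. Registry changes
# take effect only after a reboot.
$MmKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'

function Get-MitigationState {
    # FeatureSettingsOverride=0 + Mask=3 enables both mitigations; 3 + 3 disables both.
    # If neither value exists, Windows Server leaves the mitigations off; client Windows turns them on.
    $p = Get-ItemProperty -Path $MmKey -ErrorAction SilentlyContinue
    $override = $p.FeatureSettingsOverride
    $mask     = $p.FeatureSettingsOverrideMask
    if ($null -eq $override -or $null -eq $mask) { return 'Default (off on Windows Server, on for client Windows)' }
    if ($override -eq 0 -and $mask -eq 3) { return 'Enabled' }
    if ($override -eq 3 -and $mask -eq 3) { return 'Disabled' }
    return "Custom (Override=$override Mask=$mask)"
}

function Set-Mitigations {
    param([Parameter(Mandatory)][ValidateSet('Enable','Disable')][string]$Action)
    $override = if ($Action -eq 'Enable') { 0 } else { 3 }
    New-ItemProperty -Path $MmKey -Name FeatureSettingsOverride     -PropertyType DWord -Value $override -Force | Out-Null
    New-ItemProperty -Path $MmKey -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3         -Force | Out-Null
    Write-Host "Mitigations set to '$Action'; reboot required for the change to apply."
}

function Measure-SyscallWorkload {
    # Constructed micro-benchmark: each Directory.Exists call is a kernel transition,
    # the operation that the page-table isolation fix makes more expensive.
    param([int]$Iterations = 200000)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    for ($i = 0; $i -lt $Iterations; $i++) { [void][System.IO.Directory]::Exists('C:\Windows') }
    $sw.Stop()
    return $sw.Elapsed.TotalMilliseconds
}

Write-Host ("Current mitigation state: " + (Get-MitigationState))
Write-Host ("Syscall-heavy loop: {0:N0} ms" -f (Measure-SyscallWorkload))
# Intended sequence: install the update -> run this script (baseline) -> Set-Mitigations Enable
# -> reboot -> run this script again and compare the timing before returning the server to service.
```

The micro-benchmark only illustrates where the overhead comes from; measure the server's real workload (database, file serving, virtualization) before and after enabling the mitigations, since the 30% figure quoted above is an average and individual servers will sit well above or below it.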

Cloud Providers

Azure, AWS and Google have been deploying mitigations across their fleets. Other SaaS and IaaS providers are working on independent strategies. We are monitoring this situation. Note that a provider patching its hypervisors protects tenants from each other; the operating systems inside your own virtual machines still need the guest patches described above.

Firmware Updates

Most systems will need both operating system and hardware (firmware/microcode) updates to get all available protections; the operating system patch alone addresses Meltdown, while full Spectre protection also needs the processor microcode. Intel has committed to releasing updates for more than 90% of its processor products by 1/15. AMD is making firmware updates available to Ryzen and EPYC owners this week, and the company plans to update older processors "over the coming weeks." These microcode updates are given to the hardware manufacturers (OEMs), who then have to build and release a BIOS/UEFI update for each system model. Expect newer and higher-volume systems to have firmware updates available first. See the Additional resources section of this Microsoft article for links to OEM device manufacturers. Please note that we are waiting for more feedback from testing and community results before making full recommendations for firmware.

SCCM and WSUS

The community has identified a problem with some of the patches deployed through WSUS (and therefore SCCM, which uses WSUS): on some systems the patches do not show up as available to install, and instead report as Installed / Not Applicable, even though the anti-virus registry key is in place. Even bypassing WSUS and scanning directly against Microsoft Update does not show the patches as needed. This TechNet forum post documents the issues the community is having. If the cause really is a requirement for older parent patches to be installed first, we expect the patches to be re-released to address it. Our strategy and recommendation at this point is to delay patching and wait for more information.
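When WSUS reports Installed / Not Applicable, the only reliable way to know where a machine stands is to ask the machine itself. The PowerShell below is an added example, not part of the original update: it checks whether the January 2018 update is actually present and what the operating system reports about the mitigations. The KB-number table is this example's own mapping of Windows versions to the January 2018 rollups from Microsoft's ADV180002 advisory (an assumption to verify against the advisory for your builds); the SpeculationControl module is Microsoft's, published on the PowerShell Gallery, and the property names are those of its January 2018 release.

```powershell
# Added example (not from the original post). Per-machine report: is the January 2018
# update installed, is the anti-virus compatibility key set, and does Windows report the
# mitigations as present/enabled. Use it to cross-check what WSUS/SCCM claims.
$JanuaryKb = @{                        # assumed mapping; verify against Microsoft ADV180002
    '10.0.16299' = 'KB4056892'         # Windows 10 1709
    '10.0.15063' = 'KB4056891'         # Windows 10 1703
    '10.0.14393' = 'KB4056890'         # Windows 10 1607 / Server 2016
    '6.3'        = 'KB4056895'         # Windows 8.1 / Server 2012 R2 monthly rollup
    '6.1'        = 'KB4056894'         # Windows 7 SP1 / Server 2008 R2 monthly rollup
}

function Get-ExpectedKb {
    # Win32_OperatingSystem.Version is reliable even where .NET's OSVersion is not.
    $v = [version](Get-CimInstance -ClassName Win32_OperatingSystem).Version
    $key = if ($v.Major -ge 10) { "$($v.Major).$($v.Minor).$($v.Build)" } else { "$($v.Major).$($v.Minor)" }
    return $JanuaryKb[$key]
}

function Test-JanuaryUpdateInstalled {
    $kb = Get-ExpectedKb
    if (-not $kb) { return $null }                     # build not in the table: undecided
    return [bool](Get-HotFix -Id $kb -ErrorAction SilentlyContinue)
}

function Get-SpeculationReport {
    # Microsoft's SpeculationControl module asks the kernel what it actually has enabled.
    if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
        Write-Warning "SpeculationControl module not installed; run: Install-Module SpeculationControl -Scope CurrentUser"
        return $null
    }
    Import-Module SpeculationControl
    $s = Get-SpeculationControlSettings -Quiet
    [pscustomobject]@{
        BranchTargetInjection_HardwareSupport = $s.BTIHardwarePresent          # needs the microcode/firmware update
        BranchTargetInjection_OsEnabled       = $s.BTIWindowsSupportEnabled
        KvaShadow_Required                    = $s.KVAShadowRequired           # false on AMD, which is not affected by Meltdown
        KvaShadow_OsEnabled                   = $s.KVAShadowWindowsSupportEnabled
    }
}

$qualityCompat = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat'
[pscustomobject]@{
    Computer           = $env:COMPUTERNAME
    ExpectedKb         = Get-ExpectedKb
    JanuaryKbInstalled = Test-JanuaryUpdateInstalled
    QualityCompatKey   = [bool](Get-ItemProperty -Path $qualityCompat -ErrorAction SilentlyContinue)
}
Get-SpeculationReport
```

A machine that WSUS lists as Installed / Not Applicable, that Get-HotFix does not show the KB for, and that SpeculationControl reports with OS support absent, is exhibiting the symptom described above and has not actually been protected. Run the report through your existing remote-execution tooling to get a fleet-wide view rather than trusting the WSUS console.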